NCSC: It's Time for CISOs to Prioritize Accessibility

A leading UK security agency has urged organizations to help reduce cyber risk by ensuring accessibility is built into cybersecurity policies, processes and technologies.

Lee C from the NCSC’s Sociotechnical and Risk Group cited government statistics revealing that nearly a quarter (22%) of British working age adults are disabled, with 4.9 million currently in the workforce.

“There are many reasons to address accessibility, whether meeting legal requirements, delivering better operational outcomes, or attracting and retaining a more diverse set of talent,” he argued.

“Addressing accessibility also provides cybersecurity benefits by making systems more usable and making human errors or workarounds less likely. Conversely, if we fail to consider accessibility, these risks increase.”

He gave several examples of how security can be inaccessible for some people. These include awareness campaigns not written in simple language; complex interfaces and audio-only/visual-only warnings; and color schemes that may be inappropriate for those with color blindness.

Lee C argued that accessibility is often seen as “someone else’s responsibility,” or that usability and security cannot co-exist.

“This is surprising given the number of incidents which still claim ‘human error’ as a contributing factor,” he added.

“Considering accessibility within your security requirements is a great way of ensuring that you are actively considering your ‘human factors risks,’ and that you are stress testing your security against the conditions where people will find it most difficult to use, and where human errors will be most likely.”

The NCSC recommends that security leaders:

  • Consult more in their security decision-making processes and encourage feedback
  • Be open to different ways of realizing their security requirements: i.e., don’t compromise on the “what” but be flexible on the “how”
  • Treat accessibility and usability as an intrinsic part of any security requirement rather than a separate add-on, including asking vendors for accessibility statements on their products